Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONE’s Security Anders Dalskov Claudio Orlandi Aarhus University RWC 2018
Agenda I A Threat Model for Encrypted Cloud Storage (ECS). I A high-level look into a modern ECS service SpiderOakONE. I Attacks on SpiderOakONE and what we can learn from them.
Agenda I A Threat Model for Encrypted Cloud Storage (ECS). I A high-level look into a modern ECS service SpiderOakONE. I Attacks on SpiderOakONE and what we can learn from them. Disclaimer: All issues were reported on June 5th 2017 responsibly, and are fixed in version 6.4.0 of SpiderOakONE.
(Password) Encrypted Cloud Storage Traditional Cloud Storage raises some privacy concerns:
(Password) Encrypted Cloud Storage Traditional Cloud Storage raises some privacy concerns: I Besides us, who can read our files?
(Password) Encrypted Cloud Storage Traditional Cloud Storage raises some privacy concerns: I Besides us, who can read our files? I What happens to the files we delete? Or when we close our account?
(Password) Encrypted Cloud Storage Traditional Cloud Storage raises some privacy concerns: I Besides us, who can read our files? I What happens to the files we delete? Or when we close our account? I What if the Cloud Storage company is sold?
(Password) Encrypted Cloud Storage Traditional Cloud Storage raises some privacy concerns: I Besides us, who can read our files? I What happens to the files we delete? Or when we close our account? I What if the Cloud Storage company is sold? Solution: Encrypt files on the client before sending them to the server.
Threat Model ECS should provide more security than Traditional Cloud Storage: We want our files to stay secure even if the server turns malicious.
Threat Model ECS should provide more security than Traditional Cloud Storage: We want our files to stay secure even if the server turns malicious. ECS providers seem to agree: I Tresorit: We believe you should never have to ‘trust’ a cloud service I LastPass: No one at LastPass can ever access your sensitive data. I sync: We can’t read your files and no one else can either I pCloud: No one, even pCloud’s administrators, will have access to your content I SpiderOak: No Knowledge means we know nothing about the encrypted data you store on our servers I . . .
Threat Model But is a “malicious server” threat model actually used?
Threat Model But is a “malicious server” threat model actually used? For example, SpiderOak wrote (after we’d disclosed the issues we found): When we started building SpiderOak in 2006, the threat model was an attacker who would want to compromise SpiderOak and steal customer data [...] Because this was a legacy mindset, the SpiderOak ONE backup code base is not robust against a di ff erent kind of threat model: SpiderOak, the company, as the active attacker
Threat Model But is a “malicious server” threat model actually used? For example, SpiderOak wrote (after we’d disclosed the issues we found): When we started building SpiderOak in 2006, the threat model was an attacker who would want to compromise SpiderOak and steal customer data [...] Because this was a legacy mindset, the SpiderOak ONE backup code base is not robust against a di ff erent kind of threat model: SpiderOak, the company, as the active attacker Previous work that has examined ECS (SpiderOakONE in particular): I Bhargavan et al (2012) : External adversary. CSRF in web interface that could be used to learn location of shared files. I Wilson & Ateniese (2014) : Only considers file sharing. Found that the server can read files shared by the user.
Threat Model—Our attempt Assume an honest client (client software obtained before server turns malicious).
Threat Model—Our attempt Assume an honest client (client software obtained before server turns malicious). Informally, we try to answer the questions:
Threat Model—Our attempt Assume an honest client (client software obtained before server turns malicious). Informally, we try to answer the questions: 1. Are we secure against a passive adversary? I.e. is the client’s default behaviour secure?
Threat Model—Our attempt Assume an honest client (client software obtained before server turns malicious). Informally, we try to answer the questions: 1. Are we secure against a passive adversary? I.e. is the client’s default behaviour secure? 2. Are we secure against an active adversary? Is the protocols secure against misuse? What about the client implementation?
Threat Model—Our attempt Assume an honest client (client software obtained before server turns malicious). Informally, we try to answer the questions: 1. Are we secure against a passive adversary? I.e. is the client’s default behaviour secure? 2. Are we secure against an active adversary? Is the protocols secure against misuse? What about the client implementation? Formally: Indistinguishability experiment between an oracle (client) and adversary (server). Our definition only considers confidentiality. Refer to our paper for the details: https://eprint.iacr.org/2017/570
SpiderOakONE—Quick facts SpiderOakONE is an ECS with praise/endorsements from both Edward Snowden and the EFF. Uses “ No Knowledge ” (and “ Zero Knowledge ” before that) to describe their encryption routines. I Supports Windows, Mac and Linux (partial support for Android and iOS), I File sharing (single files and whole directories), I Written in Python = ⇒ decompilation is easy, I Certificate Pinning + TLS = ⇒ limits scope of attacks. Our review focused on version 6.1.5, released July 2016.
SpiderOakONE—Communication Client Server Input: password pw protocol ID pid � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � Abort if invalid pid Auth with protocol identified by pid � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � . . . RPC f i ( x 1 , . . . , x n ) � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � v = f i ( x 1 , . . . , x 2 ) v store/process v � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � !
SpiderOakONE—Communication Client Server Input: password pw protocol ID pid � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � Abort if invalid pid Auth with protocol identified by pid � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � . . . RPC f i ( x 1 , . . . , x n ) � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � v = f i ( x 1 , . . . , x 2 ) v store/process v � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! Authentication: I Only run on first install. I Server picks what protocol to run. (4 possible, but only 2 were observed.) I All protocols are non-standard (i.e. “home-made”).
SpiderOakONE—Communication Client Server Input: password pw protocol ID pid � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � Abort if invalid pid Auth with protocol identified by pid � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � . . . RPC f i ( x 1 , . . . , x n ) � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � v = f i ( x 1 , . . . , x 2 ) v store/process v � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ! Authentication: I Only run on first install. I Server picks what protocol to run. (4 possible, but only 2 were observed.) I All protocols are non-standard (i.e. “home-made”). RPC: I Everything else (data transfer, device stats, etc.) I Comprehensive: Server can call ≈ 90 di ff erent procedures on the client.
Recommend
More recommend
